Auth scheme in 401 response header

Hi all,

I’m a web developer looking for an appropriate HTTP status code for situations when the user submits an invalid password.

AFAIK, it is commonly understood that 401 is the most suitable but it requires that a WWW-Authenticate header is sent back. However, this header needs to mention the authentication type and the list of valid authentication schemes (as found at ) doesn’t include anything related to cookies. Google led me to a draft proposal by Thomas Broyer ( which seems to have quietly died almost a decade back. 

I would be grateful if someone could throw some light on current guidance on what authentication scheme to use in the www-auth-header with the 401 response when the user submits a wrong password.

Look forward to hearing from you.


Received on Monday, 29 January 2018 06:12:14 UTC